CVE-2018-16875

EPSS 0.96%
Veröffentlicht 14.12.2018 14:29:00
Zuletzt bearbeitet 21.11.2024 03:53:30
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 12

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Golang ≫ Go Version < 1.10.6

Golang ≫ Go Version >= 1.11.0 < 1.11.3

Opensuse ≫ Leap Version42.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.96%	0.757

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	7.8	10	6.9	AV:N/AC:L/Au:N/C:N/I:N/A:C
secalert@redhat.com	5.9	2.2	3.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html

https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0

https://security.gentoo.org/glsa/201812-09

Third Party Advisory

Mitigation